Yep, Donn is right. VPNs just kill the CPU on a router even if you have the AIM card that offloads the encryption and decryption. Routers can serve as VPN end points, but they are not optimized for that task.
If you are trying to push 10 to 11 Mbps of VPN traffic through a 2811, it is amazing that it has not been crashing and smoking. The 2811 is rated at 1.536 Mbps of process switching bandwidth. If you must use a router, look at the specs for the 2900 series; they have dual-core CPUs on them, perform encryption and decryption in hardware on the motherboard (no AIM card needed) and blow the pants off their 2800 series counterparts (i.e. a 2921 compared to a 2821).

cjw

> Message: 1
> Date: Thu, 7 Oct 2010 11:45:02 -0700
> From: "Lasher, Donn" <dlas...@newedgenetworks.com>
> To: "James Graebner [VPNtranet]" <jam...@vpntranet.com>,
>     <cisco-nsp@puck.nether.net>
> Subject: Re: [c-nsp] High CPU util on a 2811 with two ipsec tunnels
> Message-ID:
>     <c97f73e15f1f0d48a3ac0c423f8c221a02b9e...@rancor.ad.newedgenetworks.com>
> Content-Type: text/plain; charset="us-ascii"
>
> In my experience, two things hammer the CPU for IPSEC tunnels:
>
> 1. mGRE is not accelerated by the hardware.
> 2. Fragmenting Packets, lower MTU/MSS, CPU driven.
>
> Pretty common to see 2811's out of CPU with 10-11M of IPSEC payload in a
> tunnel, in my experience.

_______________________________________________
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/